Regarding the Log4j vulnerability: to our knowledge, the only program in TeX Live which uses the Log4j class is the arara utility; further, arara is not directly impacted by this issue, as admirably explained in this Arch Linux issue. Nevertheless, arara has been updated in TL (and on CTAN, and upstream). No program in TL calls arara internally.

The main TeX engines (TeX, pdfTeX, XeTeX, LuaTeX, etc.) are completely unaffected by Log4j. LaTeX and other formats are also completely unaffected.

Regarding MiKTeX, no Log4j dependencies have been added to the engines or formats in that distribution either, so TeX, LaTeX, etc., are safe there as well.

